Posted by Soulskill on Friday March 16, 2012 @12:22PM
from the hand-in-the-cookie-jar dept.

An anonymous reader writes "Last month we discussed news of a controversial method Google was using to bypass Safari's privacy settings in order to enable certain features for users who were logged in to Google. Now, U.S. regulators are investigating Google's actions to see whether the search giant has violated the privacy protection agreement they signed last year that includes a clause prohibiting Google from misrepresenting how users control the collection of their data. 'The fine for violating the agreement is $16,000 per violation, per day. Because millions of people were affected, any fine could add up quickly, depending on how it is calculated. ... A group of state attorneys general, including New York's Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings, according to people familiar with the investigation. State attorneys general can have the ability to levy fines of up to $5,000 per violation.' European regulators are adding the Safari investigation to their review of Google's consolidated privacy policy."

The thing people are continuously forgetting about all of this is that the bug in question was in the open source Webkit, which both Safari and Chrome are based on, and Google had already submitted a patch to fix the bug before any of this even became an issue.

This all seems a lot more about this [falkvinge.net] than any sort of legitimate complaint the government has about what Google is doing. If the government had literally done nothing, the problem had already been solved before they became involved -- but now we have a big dog and pony show. Cui bono? Microsoft.

Let me give you an example. If you want to jailbreak an iPhone, you have to find a security vulnerability. Like, a real one, not this "well if you submit a form then it isn't considered a third party cookie" grey area nonsense, a real root shell "exploit." Is the company that makes the jailbreak website then "exploiting privacy vulnerabilities" because having rooted the phone, the software could in theory then send all the user's pictures and web hi

Who said anything about stealing credit card numbers? You're conflating issues radically. This isn't a grand theft trial, and nobody is talking about taking root access to your PC. This is a probe into whether Google is adhering to privacy agreements.

My best guess is that you're objecting to the AC's use of the term "exploit" in the context of privacy (or maybe the term "vulnerability")? But what else do you call it if you say the hole is being used? It's a vulnerability, in the privacy field, which is

As for whether it's a grey area, if Google submitted a patch to end this behaviour as you say, presumably they thought the behaviour was wrong. Otherwise, why did they submit the patch?

It's a pretty obvious false negatives vs. false positives trade off. There are a ton of legitimate uses for third party cookies, so over-blocking them breaks a lot of stuff. But they also get used by ad networks to track people between websites, which can be undesirable. The problem is that the dividing line between first and third party cookies is very blurry (e.g. is fbcdn.net 'third party' when you're on facebook.com?) and even trying to make the distinction is somewhat questionable. So you draw a line a

Crap! and my mod points just expired. Someone mod the parent up! I think people fail to realize that 50% of web development involves "hacking" web browsers just to get legitimate functions to work consistently. (Well, maybe less than 50% now that IE6 is finally getting less support.)

While it is possible that Google violated an agreement here, that has limited relation to this being an "exploit". The negative connotation and inaccuracy around the terminology is misleading.

I say the right to privacy is dead, antiquated, and probably never existed in the first place. If you want privacy then you need to consciously make an effort to protect your data. If you are not sure it is private, then assume it is not private. Don't be so beef-headed as to assume your life is private because you have not published it. I think the assholes are right, and we just don't want to admit it because of some ideological cognitive dissonance. There is no privacy on the internet. If information abo

Google refuses to play their little game so the "government" is always at their heels. Microsoft started sucking up to government a long time ago to make money. They now have a lot of pull because of this in Washington whereas Google has no political power--and it seems like they want to keep it that way. Yeah, I'm a Google fan boy, and I will be until they start playing the game. Maybe they want to track their user behavior, but the obvious treatment they receive from our Washington overlords makes it clea

So if I submit a patch and they don't jump to it fast enough to suit me I can then pwn them consequence free? Don't think that is how it works friend. I would link to the former Google employee's "Why I quit Google" over on OSNews but since the guy took a job at MSFT nobody would read it anyway, but it is looking more and more like what he posted was correct. He said in the beginning they were an engineering company that made cool stuff that you could then sell ads on, he likened it to making a top rated s

So if I submit a patch and they don't jump to it fast enough to suit me I can then pwn them consequence free?

To be perfectly honest I do think that computer hacking laws are totally redundant and should all be repealed. If you don't secure your system, blackhats in Russia and China (and Americans with identity-concealing botnets) are going to pwn you anyway, so it doesn't really matter whether you can prosecute the stupid ones in America because you need good security in any event and once you have it then the law is useless. All the law does is allow overzealous prosecutors to harass people, many of which are rea

Google had this agreement. According to Anthony Mouse below in the comments, Google knew of this problem. They submitted a bug fix. So the question for the prosecution and layperson is this, was there a way Google at this point could not abuse this bug?

Let's say there is a gas pump at the only gas station in town. The pump is calibrated wrong and providing 1.5 gallons of fuel for every gallon "measured". In a fair world this would never have happened.

The question becomes what happens after Google reported it, and seemingly kept using that pump until it was properly calibrated.

You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.

On top of that, calling this a "vulnerability" or "exploit" is really pushing it. There is no obvious hard line between first and third party cookies. They have no obvious or official definition. Safari drew the line in a way that classified a lot of the borderline cases as "first party" cookies -- which actually makes a certain amount of sense, since they block third party cookies by default and over-blocking would break too many things.

So along comes, I don't know, everybody who uses cookies that would be blocked by Safari's defaults, and when they encounter Safari, they take steps to restore the original functionality. And since some (but not all) of those people are the sort of ad networks who track you in a way that made browser vendors consider an option to block third party cookies in the first place, Google submitted a patch to classify more of them as third party. Which breaks more legitimate stuff, because it's a trade off. It's not that the original default is bad, broken, or a vulnerability...it's that the line is a silly, ambiguous one to draw in the first place. What it's trying to accomplish is Do Not Track, but as a hack and consequently with a lot of collateral damage to legitimate features that everyone then scrambles to mitigate with work arounds like the one Google had been using.

So that happens, and along comes the Microsoft propaganda machine to point out that because Google is both a social network and an ad network, wouldn't it be nice to accuse the ad network of privacy violation as a result of a borderline cookie feature shared by all social networks? Give me a break.

You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.

On the other hand, Google clearly has an agenda. It includes access to as much of your data as they can manage. So it shouldn't be hard to imagine some sort of unifying goal when you read about something like this, and consider that notscripts still blows compared to noscript due to Chrome's architecture, and so on.

Two people getting together to bone a third person out of something is a conspiracy. A small handful of people deciding to lead a few products in the direction that gives their company the greatest advantage is hardly worth implying that someone is some kind of wacko over. It's precisely the Microsoft story, why should a variation be unbelievable at Google? Has human nature changed overnight? How about tactics, are they all different now?

The difference is that in the Microsoft case they actually had some, you know, evidence. The Halloween memos [wikipedia.org] and so forth. So what I'm saying is, do you have any evidence, or is it just a conspiracy theory?

Then I guess I don't really buy it. I mean Chrome and Safari are both based on Webkit, which was mostly not created by Google. (It was originally KDE and then Apple played a big role.) By the time Google entered the scene most of the major architectural decisions had already been made and implemented, so if anybody designed it in a way that makes plugins that block javascript harder, it was KDE or Apple.

Likewise this thing with the cookies: I mean think about it. If it was this huge top down conspiracy then

If I understand your point correctly it's that Google as an institution has an incentive to prevent ad blocking and so forth, which is "supported by what evidence there is," and that therefore we should ascribe that intent to the actions of its individual software engineers without any further evidence.

What I'm pointing out is that that doesn't make a lot of sense: They don't uniformly behave as though that is their goal, and in the instances where their actions are consistent with that theory (which, natur

No, you can point that out without all the hyperbole and false association. What you're doing is trolling, and now also being disingenuous. Or really stupid. And if that's a false dichotomy, please enlighten me as to what the third way might be.

Of course, but patching the hole and going after people who create malware that takes advantage of it is not an either/or choice: both are necessary, generally speaking. Google, in taking advantage of a browser exploit, is essentially stooping to the tactics used by malware authors, even though unlike them it has signed agreements and generated official privacy policies saying it'd do no such thing.

It's a browser vulnerability, yes. Apple should fix it, absolutely. However, the existence of security holes has never been a valid defence for exploiting them. If it were, then there would be almost no computer-related crimes...

Let's say you lock your car door. Someone comes along, unlocks your car door, and takes a shit on your front seat. Well, locks can be picked and people can shit in inappropriate places (cf Occupy Wall Street), so you can't prevent someone from breaking into your car and taking a shit. But that doesn't excuse anyone who does that. In fact, you could say that they, not the door lock, are the problem.

But but but, if people can't build their identity over corporate cheerleaderism, what will they do? You mean I'm really a middle-class IT drone and not a proud member of TEAM GOOGLE or TEAM APPLE? Impossible!

The ideal U.S. would not have any corporations..... just private-owned proprietorships or partnerships where the owner(s) are directly responsible for the actions of their company and managers/employees.

Nope. Corporations are necessary. Single proprietorships cannot reach the scale needed to undertake large scale economic activities such as building the world-scale infrastructure needed for say, building a modern airliner or a transcontinental railway system.

It is my understanding that it does something of the latter. It submits a form in order to set a cookie so that things like the +1 button can be set. In my mind this is part and parcel of using Google's services. The code works the same regardless of the privacy settings.

The only reason to submit this form is to circumvent Safari's security settings. If the user allowed cookies to be set without user interaction, then the form is not needed. It is needed because it tricks Safari into believing that there was some user action, when there actually wasn't one.

Your argument is basically "if they check whether the door is locked and climb through the window if it is locked, but go through the front door if it's not locked, that's bad. But if they always climb through the wind

I love Google as much as the next /. tard (and hate Apple to boot, I mean come on, look at the evil deeds of each company and apple has so much more on it.) But Google purposely exploiting a security flaw in Safari is wrong. Plain and simple, however honestly I would like to wager Apple put it there on purpose to see if they could catch Google doing this. The reason I say this is, in chess (and corporate strategy is akin to Chess at times) one might allow themselves to lose a piece (reputation loss for Apple

Google isn't being held to the promises Safari has made, Google is being held to the agreement it had with the DoJ because in the course of collecting data about the user they deliberately circumvented, admittedly fairly weak, restrictions the user placed on their actions within the browser.

There are two entirely different issues at hand here - Safari needs to be fixed somehow (although someone further down the thread suggests this isn't an easy fix) and Google got caught with its hand in the cookie jar when it probably shouldn't have had it there.

Just because your window is open doesn't mean people are allowed to climb through it to circumvent the locked door.

restrictions Apple claimed to have placed on their actions within the browser.

The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.

This would be a completely different thing if the default had been what it is in every other browser and it was being circumvented when the user had explicitly changed it, because in that case you hav

The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.

The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.

The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.

You're begging the question. The assumption you're making is that every possible use of third party cookies is inherently a privacy violation. If all they're using them to do is to see if you're logged into Google+ (so that they can give you a +1 button), how is that a privacy violation?

It didn't break any Google functionality. This is just for ad tracking purposes.

Try Ghostery and see for yourself

You can't try it anymore because they've turned it off. But what had happened was that if you were signed into Google+, on third party websites it would check for that cookie and give you a +1 button. That doesn't inherently involve any tracking at all. The possibility exists that they were using the same cookies to also track you, but that happens on the server side, so there is no real way to know that -- all this noise about privacy violations is pure speculation.

Uhm, it is tracking because Google, by virtue of accessing that cookie, gets to know you visited that website - they get passed the unique cookie associated with your account and they also get the referrer ID of the website. Tracking.

If they didn't explicitly want to track you, they could implement a completely cookieless implementation of their Plus 1 button which only associates you with your account when you actually click it. But they didn't, because they want the info regardless of whether you clicked

Uhm, it is tracking because Google, by virtue of accessing that cookie, gets to know you visited that website - they get passed the unique cookie associated with your account and they also get the referrer ID of the website. Tracking.

You're collapsing "can" and "do" when they aren't the same thing. The cookie could be used to track you, if every time you visit a website they record it in a database somewhere, but has anyone provided any evidence that they were intentionally doing that?

If they didn't explicitly want to track you, they could implement a completely cookieless implementation of their Plus 1 button which only associates you with your account when you actually click it. But they didn't, because they want the info regardless of whether you clicked or not.

Except that they would need to read your cookie to know if you're signed into Google+ to know whether to put the +1 there at all.

And what's so bad about putting the Plus 1 button on the page regardless? I get the Facebook Like button (and a load of others) and I don't even have an account, so what makes Google special?

The entire way in which they did this screams "we want to track you", despite your protestations to the contrary. No one needs to provide evidence that there is an actual database behind it, the implementation they went out of their way to use specifically allows for it when they don't need to do it that way at all.

And what's so bad about putting the Plus 1 button on the page regardless?

They wanted you to be able to +1 ads if you like them. I kind of doubt the third party websites would be happy to see a redirect from their website to the Google+ sign in page in the event someone is not signed in.

The entire way in which they did this screams "we want to track you", despite your protestations to the contrary. No one needs to provide evidence that there is an actual database behind it, the implementation they went out of their way to use specifically allows for it when they don't need to do it that way at all.

You keep assuming that they "went out of their way" to do this somehow. More likely chain of events is that they designed it to use cookies in the first place, then someone realized it wasn't working properly on Safari and implemented a work around. Submitting a form is far, far, far less work tha

And what's so bad about putting the Plus 1 button on the page regardless?

They wanted you to be able to +1 ads if you like them. I kind of doubt the third party websites would be happy to see a redirect from their website to the Google+ sign in page in the event someone is not signed in.

I don't care what they want you to be able to do, your point is ludicrous.

Taking a random page off of Autosport.com (a site I currently have open), gives me a Twitter button which redirects to a sign in page when clicked, a LinkedIn button which redirects when clicked, a Facebook button which redirects when clicked, and indeed a Google +1 button which, surprise surprise, redirects anyway because I'm logged into a Google+ account which is not my own (business account) and requests permission to continue.

Taking a random page off of Autosport.com (a site I currently have open), gives me a Twitter button which redirects to a sign in page when clicked, a LinkedIn button which redirects when clicked, a Facebook button which redirects when clicked, and indeed a Google +1 button which, surprise surprise, redirects anyway because I'm logged into a Google+ account which is not my own (business account) and requests permission to continue.

Those are somewhat different species of buttons. The third party website in those cases specifically inserted code for the buttons so that users would +1/like/whatever the website's own content, which directly benefits the website. What I'm talking about is putting the button on an ad, which only indirectly benefits the website it's actually on (by making ads more relevant/profitable), and which might be on websites that hadn't wanted or expected an ad that would spawn a new tab just for that. I could also

Apple released a browser that had a security hole. Google exploited the security hole. If OpenSSH ships with a vulnerability that allows someone to get root access on my server, should the OpenSSH team or the attacker be prosecuted?

It's an unintended side effect of how Safari handles third-party cookies: Safari blocks third party cookies, but makes an exception for sites the user interacts with (i.e., if you click on an ad, it will allow that ad to install a cookie). So what Google is doing is basically loading a no-op form element in an iframe and automatically submitting it - this tricks Safari into behaving as if the USER submitted the form (thus interacting with the ad), allowing Google to set the cookie.

Safari WOULD block setting of the cookie without this workaround being coded & inserted into the ads being served up by DoubleClick... so it's not a case of Google being held to account for promises Safari makes, it's that Google is being held to account for intentionally exploiting a loophole in the software to abuse users. People keep trying to turn this into a "Google vs. Apple" issue, and the real issue (and where it's eroding trust in Google) is that it's a "Google vs. Users" issue. I can't trust Google to honor those settings in my browser, can I trust them to honor any other settings and preferences I set in my browser, or register with them?

There's no reason Google couldn't have instead put up a page saying "We notice you don't allow third party cookies... this will mean you can't +1 things, blah blah blah," and include instructions on changing the setting if the user wishes to enable +1's and other tracking, rather than simply disregarding the users' settings and exploiting the loophole.
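The policy behaviour described in the comment above, as an added example that is not part of the original thread and is not WebKit code: a simplified model comparing a rule that treats any form submission as user interaction with a stricter rule that also requires a real user gesture. The request fields, both policy functions, the two-label `site()` shortcut and the `.example` hosts are all assumptions made for illustration.

```javascript
// Simplified model of a third-party cookie policy. Hypothetical names throughout.

// Naive "site" = last two host labels. This is an assumption: real browsers use
// the Public Suffix List, and the first/third-party line is blurry in practice.
function site(host) {
  return host.split('.').slice(-2).join('.');
}

function isThirdParty(req) {
  return site(req.host) !== site(req.topLevelHost);
}

// Rule as the comment describes it: third-party cookies are blocked unless the
// request is a form submission, which is taken as evidence of user interaction.
function describedPolicy(req) {
  if (!isThirdParty(req)) return true;
  return req.kind === 'form-submit';
}

// Stricter variant (hypothetical): the submission must carry a real user
// gesture, so a form submitted by script inside a frame does not qualify.
function gestureAwarePolicy(req) {
  if (!isThirdParty(req)) return true;
  return req.kind === 'form-submit' && req.userGesture === true;
}

// Apply a policy to every response that tries to set a cookie.
function evaluate(requests, policy) {
  const stored = [];
  const blocked = [];
  for (const req of requests) {
    if (!req.setCookie) continue;
    (policy(req) ? stored : blocked).push(`${req.host}:${req.setCookie}`);
  }
  return { stored, blocked };
}

// Review aid: hosts whose cookie is accepted only because a scripted
// submission was counted as interaction.
function scriptedGrants(requests) {
  return requests
    .filter(r => r.setCookie && describedPolicy(r) && !gestureAwarePolicy(r))
    .map(r => r.host);
}

// Constructed sample: one page load on news.example with embedded frames.
const pageLoad = [
  { host: 'news.example', topLevelHost: 'news.example', kind: 'navigation', userGesture: true, setCookie: 'session' },
  { host: 'static.news.example', topLevelHost: 'news.example', kind: 'subresource', userGesture: false, setCookie: 'prefs' },
  { host: 'ads.example', topLevelHost: 'news.example', kind: 'subresource', userGesture: false, setCookie: 'id_a' },
  { host: 'ads.example', topLevelHost: 'news.example', kind: 'form-submit', userGesture: false, setCookie: 'id_b' },
  { host: 'shop.example', topLevelHost: 'news.example', kind: 'form-submit', userGesture: true, setCookie: 'cart' },
];

console.log('described rule:', evaluate(pageLoad, describedPolicy));
console.log('gesture-aware rule:', evaluate(pageLoad, gestureAwarePolicy));
console.log('accepted only via scripted submit:', scriptedGrants(pageLoad));
```

In the model, the form a user actually submits in the `shop.example` frame keeps working under both rules; only the scripted submission changes outcome.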

Google created an invisible form on a web page and then simulated a click on it to bypass Safari's privacy controls. That didn't happen by accident. That's hostile code.

Safari treated a "submit" action as permission for the site to plant a cookie. It's hard to stop that in the browser without breaking some legitimate forms. As a result of this, all web forms which want to trigger a cookie event may have to have explicit "submit" buttons.

What a zealot. You may disagree with Apple's view of its customers, but at least it views us end users as its customers. Google has no such illusions: their customers are carriers, and secondarily manufacturers. You know, those same carriers and manufacturers who have been screwing us for years?

So yes, when it comes to serving its customers, I believe Apple (me as a customer) over Google (my carrier as a customer, and my information as its asset) any day of the week. And twice on weekends.

That's a rather harsh assumption coming from someone who didn't bother to read the title of GP's post. If you are confused as to what "W3C" stands for, perhaps you should actually check out w3.org instead of asking stupid questions.

It's like making a door without a key and a lock. Instead we post instructions on the door telling you when you are allowed to open the door and when not. We then sue people for bypassing the security mechanism instead of simply adding a lock.

I love how one branch of the government is suing Google for privacy breach, while another is building a top secret domestic spy center (in Bluffdale Utah of all places), in absolute contempt of the US constitution. Is it that the right hand doesn't know what the left hand is doing or does the government think only it has the right to spy on us? And isn't Google hooked up to the NSA? How does that work? Boggles my fragile little mind. Maybe the whole thing's just a publicity stunt to keep the American Idol

I cannot believe that Google would ever do anything as nefarious as this. Only Microsoft is capable of this treachery. Why next thing you know, they will be insinuating that there are security bugs in Firefox.

What's remarkable about the New York bill is that it would expand the state's database to include DNA from people convicted of almost any crime, even misdemeanors as minor as jumping over a subway turnstile.'

Interesting. Of course, it would make sense to simply collect a DNA sample in circumstances where previously they would have collected fingerprints. Going beyond that is expansion of their tracking.

Keep in mind, it's not "the government" that's asking for this. It's the people who elect the government. Maybe not all of them, but most of them.